Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

alert on deleted data

troywollenslege
Path Finder
‎03-20-2012 01:39 PM

Trying to look through the _internal logs in realtime to fire an alert if anyone tries to delete files with | delete

All searches I try will find the search itself (thus always firing).

Thoughts?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎03-21-2012 10:36 AM

Put a crazy string in your search, like so:

 index=_audit "action=search" search=*delete* NOT dfsdkljwkwtw

This will prevent your search from showing up in the results.

You might want to refine it a big using a regex to look for | delete, |delete, | delete, etc.

View solution in original post

Reply
Solved! Jump to solution

awjohnson
Explorer
‎03-25-2014 10:38 AM

This is the search I'm running to monitor for delete attempts:

index=_audit sourcetype=audittrail "|" "delete" NOT "search='search index=_audit"

I'm searching the index of _audit and the sourcetype of auditrail for | and delete. Then so that my searches for delete activity do not generate alerts, I exclude searches of searches that include delete.

0 Karma
Reply
Solved! Jump to solution

troywollenslege
Path Finder
‎03-21-2012 11:09 AM

Thx. I was using _internal, audit seems to work better;

index=_audit "action=search" search="*delete'" | table user info search
This is the search that I am going to run, seems to work with the caviot that there may be some false positives, which I am ok with.

0 Karma
Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎03-21-2012 10:36 AM

Put a crazy string in your search, like so:

 index=_audit "action=search" search=*delete* NOT dfsdkljwkwtw

This will prevent your search from showing up in the results.

You might want to refine it a big using a regex to look for | delete, |delete, | delete, etc.

Reply
Solved! Jump to solution

lguinn2
Legend
‎03-20-2012 10:17 PM

In 4.3 -

You can do the realtime alert on a rolling window, which gives you the opportunity to set a custom condition. In the custom condition, test for _time != now()

"now" is the time that the search started...

I am not sure that this will work, but I think it should...

0 Karma
Reply
Solved! Jump to solution

troywollenslege
Path Finder
‎03-21-2012 09:22 AM

Maybe wasn't clear. I can do the search the problem is that when I search for someone deleting data, the search itself is found. So i woudl get alerted every time.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...